Microsoft 365 Security Best Practices for Connecticut Small Businesses

By Sarthak Agarwal·Published March 11, 2026·Updated March 12, 2026

The Problem with Microsoft 365 Defaults

Microsoft 365 is the backbone of IT for the majority of small and medium-sized businesses in Connecticut — email, documents, Teams, calendars, file storage, all in one platform. It is a powerful, well-designed product. But it ships with default configurations that prioritize ease of setup and broad compatibility over security. For a West Hartford accounting firm or a Hartford County law practice handling sensitive data, those defaults create exploitable gaps.

According to Microsoft's own data, over 99.9% of compromised Microsoft 365 accounts did not have multi-factor authentication enabled at the time of breach. That is one statistic. The deeper reality is that Microsoft 365 tenants misconfigured with default settings are routinely exploited for business email compromise, data exfiltration, and ransomware staging — even when the organization believes it is "using Microsoft 365 securely."

This guide covers the 10 most important Microsoft 365 security configurations for Connecticut small businesses. Each setting is explained — what it does, why it matters, and how to implement it. These are not advanced enterprise controls. They are configurations that every business with a Microsoft 365 subscription should have in place.

Sarthak's Take: When I do a Microsoft 365 security review for a Connecticut business, the most common finding is not one critical gap — it is five to eight medium-severity gaps that together create a situation where a single phishing email can become a full tenant compromise. The good news is that fixing them takes hours, not weeks.

1. Enforce Multi-Factor Authentication with Conditional Access

What it is: Conditional Access is Microsoft's policy engine for controlling who can access Microsoft 365 resources, from where, and under what conditions. It is the right way to enforce MFA — more flexible and enforceable than simply enabling the legacy "per-user MFA" setting.

Why it matters: Microsoft's baseline data is unambiguous: MFA blocks 99.9% of automated account compromise attempts. Conditional Access lets you require MFA for all users, all apps, from all locations — or apply it conditionally based on risk signals (unfamiliar location, new device, high-risk sign-in).

How to implement:

  • In the Entra admin center (formerly Azure AD), navigate to Protection > Conditional Access
  • Create a policy requiring MFA for all users and all cloud apps (start with "report-only" mode to see what would be blocked before enforcing)
  • Require Microsoft Authenticator (push notification or passwordless phone sign-in) rather than SMS codes
  • Exclude break-glass emergency admin accounts from the policy (but monitor those accounts closely)
  • Enable the "Microsoft managed policies" baseline protections that Microsoft now offers for eligible tenants

License requirement: Conditional Access requires Entra ID P1, which is included in Microsoft 365 Business Premium. If you are on Business Basic or Business Standard, you can still enable per-user MFA (less granular but still effective) and Security Defaults (Microsoft's free baseline settings).
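The policy described in the steps above, expressed as an added example in Microsoft Graph PowerShell (this is not code from the original post or from Sentium Tech). It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin can consent to the Policy.ReadWrite.ConditionalAccess and User.Read.All scopes, and that the two break-glass UPNs shown are placeholders for your own emergency accounts. The policy is created in report-only mode first, exactly as the steps recommend, and the one-line update that enforces it is left commented out until the report-only results have been reviewed.

```powershell
# Added example (not from the original post): create a report-only Conditional Access
# policy that requires MFA for all users and all cloud apps, excluding break-glass accounts.
# Assumes the Microsoft.Graph PowerShell SDK; the UPNs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Placeholder break-glass accounts: resolve their object IDs so they can be excluded.
$breakGlassUpns = "breakglass1@contoso.onmicrosoft.com", "breakglass2@contoso.onmicrosoft.com"
$breakGlass = foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn -Property Id).Id }

$policy = @{
    displayName   = "CA001 - Require MFA for all users (report-only)"
    # Report-only first: the sign-in log shows what *would* be blocked, nothing is enforced yet.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass)   # break-glass accounts must never be locked out by this policy
        }
        applications   = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")          # the only grant control: satisfy MFA
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state '$($created.State)'"

# After reviewing the report-only results in Entra sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Keep the break-glass exclusion even after enforcement; what protects those accounts is a separate alert on any sign-in to them, not MFA enforced by this policy.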

2. Enable Microsoft Defender for Business

What it is: Microsoft Defender for Business is endpoint detection and response (EDR) built into Microsoft 365 Business Premium. It replaces basic antivirus with behavioral threat detection, automated investigation and response, and centralized security management.

Why it matters: Standard antivirus signatures cannot catch modern ransomware and fileless malware. Defender for Business monitors endpoint behavior — if something starts behaving like ransomware (mass file encryption, unusual process activity), it stops it and alerts your IT team. A 2024 AV-TEST evaluation found Defender for Business blocked 100% of real-world malware samples in testing.

How to implement:

  • In the Microsoft 365 Defender portal (security.microsoft.com), navigate to Endpoints > Device inventory
  • Onboard Windows devices using the simplified configuration wizard in Defender for Business
  • Enable tamper protection to prevent malware from disabling Defender
  • Configure attack surface reduction (ASR) rules — start in audit mode to identify impact before enforcing
  • Set up email alert notifications for high-severity detections to go to your IT provider or internal IT contact

3. Establish and Monitor Your Microsoft Secure Score Baseline

What it is: Microsoft Secure Score is a measurement of your organization's security posture based on your current Microsoft 365 configuration. Each recommended action has a point value, and your score reflects how many of those recommendations you have implemented.

Why it matters: Secure Score gives you a prioritized to-do list of security improvements with clear implementation guidance. For Connecticut businesses under HIPAA, CTDPA, or other compliance frameworks, it also helps demonstrate to auditors and insurers that you are actively managing your security posture. The average Secure Score for SMBs is around 40–50%; a well-configured tenant should score 70%+.

How to implement:

  • Access Secure Score at security.microsoft.com > Secure score
  • Review the recommended actions sorted by "Score impact" to prioritize highest-value improvements
  • Set a target score and establish a quarterly review to track progress
  • Use the Secure Score comparison feature to benchmark against similar organizations

4. Configure Email Authentication: SPF, DKIM, and DMARC

What it is: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are DNS-based email authentication protocols that prevent attackers from spoofing your domain in phishing emails.

Why it matters: Business Email Compromise (BEC) — where attackers impersonate your domain to deceive employees, customers, or vendors — caused $2.9 billion in losses in 2023 according to the FBI IC3. Without DMARC in enforcement mode, anyone can send email that appears to come from your domain. A Hartford County vendor wiring funds to a spoofed email from your domain has no technical warning that the email is fraudulent.

How to implement:

  • SPF: Add a TXT record to your DNS zone listing all authorized sending IP addresses and services for your domain (Microsoft 365 has specific SPF values to include)
  • DKIM: Enable DKIM signing in the Microsoft 365 Defender portal under Email & Collaboration > Policies & Rules > Threat policies > DKIM
  • DMARC: Add a DMARC TXT record to your DNS. Start with p=none (monitoring only) to see what mail would fail. After validating, move to p=quarantine, then p=reject. DMARC reports delivered to an email address (or a DMARC reporting service) help you understand your email sending landscape.
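As an added example (not from the original post or from Sentium Tech), the script below checks where a domain currently stands on the SPF and DMARC steps above and prepares DKIM signing in Exchange Online. It assumes a Windows host with the DnsClient module (for Resolve-DnsName), the ExchangeOnlineManagement module, and an Exchange administrator account; "contoso.com" is a placeholder domain. The SPF include value for Microsoft 365, spf.protection.outlook.com, is Microsoft's documented value and is the "specific SPF value" the first bullet refers to.

```powershell
# Added example (not from the original post): audit a domain's SPF and DMARC records and
# prepare DKIM signing for it in Exchange Online. "contoso.com" is a placeholder.
$domain = "contoso.com"

function Get-TxtRecord([string]$name) {
    # Returns each TXT record for $name as one joined string, or nothing if the lookup fails.
    try {
        Resolve-DnsName -Name $name -Type TXT -ErrorAction Stop |
            Where-Object Type -eq "TXT" |
            ForEach-Object { $_.Strings -join "" }
    } catch { $null }
}

# --- SPF: exactly one record, authorizing Microsoft 365, ending in hard fail (-all) ---
$spf = @(Get-TxtRecord $domain | Where-Object { $_ -like "v=spf1*" })
switch ($spf.Count) {
    0 { "SPF: MISSING - publish 'v=spf1 include:spf.protection.outlook.com -all'" }
    1 {
        if ($spf[0] -notmatch "include:spf\.protection\.outlook\.com") { "SPF: does not authorize Microsoft 365 to send for $domain" }
        if ($spf[0] -match "\+all$")    { "SPF: '+all' authorizes every sender on the internet - fix immediately" }
        elseif ($spf[0] -match "~all$") { "SPF: softfail (~all); move to -all once all legitimate senders are listed" }
        else                            { "SPF: OK -> $($spf[0])" }
    }
    default { "SPF: $($spf.Count) records found - only one is allowed, receivers treat this as a permanent error" }
}

# --- DMARC: read the p= tag to see where the domain sits on none -> quarantine -> reject ---
$dmarc = Get-TxtRecord "_dmarc.$domain" | Where-Object { $_ -like "v=DMARC1*" } | Select-Object -First 1
if (-not $dmarc) {
    "DMARC: MISSING - start with 'v=DMARC1; p=none; rua=mailto:dmarc-reports@$domain'"
} else {
    $tags = @{}
    foreach ($kv in ($dmarc -split ";")) {
        $k, $v = $kv.Trim() -split "=", 2   # "p=none" -> "p", "none"
        if ($k) { $tags[$k] = $v }
    }
    "DMARC: p=$($tags['p']); rua=$($tags['rua'])"
    if ($tags['p'] -eq "none") { "DMARC: monitoring only - spoofed mail is still delivered, plan the move to quarantine" }
    if (-not $tags['rua'])     { "DMARC: no rua= address, so you receive no aggregate reports to validate senders" }
}

# --- DKIM: the two selector CNAMEs must resolve before signing can be enabled ---
Connect-ExchangeOnline -ShowBanner:$false
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false }
"DKIM signing enabled: $($dkim.Enabled)"
"Publish these CNAME records in DNS before enabling:"
"  selector1._domainkey.$domain -> $($dkim.Selector1CNAME)"
"  selector2._domainkey.$domain -> $($dkim.Selector2CNAME)"
# Once both CNAMEs resolve, turn signing on (the cmdlet errors if the CNAMEs are still missing):
# Set-DkimSigningConfig -Identity $domain -Enabled $true
```

Run the SPF and DMARC part again after each policy change; the DMARC aggregate reports arriving at the rua= address are what tell you whether every legitimate sender (the payroll provider, the CRM, the scanner in the copy room) passes before you move from p=quarantine to p=reject.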

5. Enable Microsoft Defender for Office 365 (Safe Links and Safe Attachments)

What it is: Defender for Office 365 Plan 1 adds advanced anti-phishing, Safe Links (URL scanning at time of click, not just at delivery), and Safe Attachments (sandboxing of email attachments before delivery). It is included in Microsoft 365 Business Premium.

Why it matters: Standard Exchange Online Protection (included in all Microsoft 365 plans) catches obvious spam and known-bad attachments. Defender for Office 365 catches sophisticated phishing that evades standard filtering — including zero-day malware attachments and time-of-click URL redirects. The Verizon 2024 DBIR found phishing involved in 41% of breaches; Defender for Office 365 is specifically designed to close that gap.

How to implement:

  • In Microsoft 365 Defender > Email & Collaboration > Policies & Rules, configure Safe Attachments to "Block" mode for all users
  • Configure Safe Links to "On" with real-time URL scanning for email messages and Microsoft Teams
  • Enable anti-phishing policies with impersonation protection for key executives and your domain
  • Configure the "Strict" preset security policy for your highest-risk users (executives, finance, HR)

6. Separate Admin Accounts from User Accounts

What it is: Global Administrator and other privileged Microsoft 365 accounts should be dedicated accounts used only for administrative tasks — not the same accounts that check email, browse the web, and access everyday business applications.

Why it matters: When an admin account is compromised via phishing or malware, the attacker gets Global Admin privileges — they can add new accounts, access all email, disable security controls, and extract all organizational data. If administrators use separate, dedicated admin accounts for privileged tasks, a compromised daily-use account cannot reach administrative functions.

How to implement:

  • Create dedicated admin accounts in the format admin-firstname@yourdomain.com for any user who needs admin access
  • Do not assign Global Administrator to anyone without explicit business need — use least-privilege roles (Exchange Administrator, SharePoint Administrator, etc.) wherever possible
  • Require MFA on all admin accounts — consider hardware security keys (FIDO2) for Global Admins
  • Create at least two break-glass emergency admin accounts with strong passwords stored securely offline, and configure an alert on any sign-in to those accounts
  • Enable Privileged Identity Management (PIM) if you have Microsoft Entra ID P2 licensing — this requires just-in-time elevation for admin access

7. Configure Guest Access Controls in Teams and SharePoint

What it is: By default, Microsoft 365 Business tenants allow relatively permissive guest access — external users can be invited to Teams channels, SharePoint sites, and shared folders. Without proper controls, sensitive internal information can be shared too broadly.

Why it matters: Guest access misconfiguration is a common source of data leakage. An employee inviting a vendor to a Teams channel that also contains HR documents or financial data can inadvertently expose confidential information. For Connecticut businesses subject to CTDPA or HIPAA, this creates compliance exposure.

How to implement:

  • In SharePoint admin center and Teams admin center, configure guest access to require approval for external sharing
  • Set external sharing policies at the SharePoint level to "Existing guests" or "Specific people" rather than "Anyone"
  • Require guests to authenticate (not allow anonymous link sharing for sensitive sites)
  • Set expiration on guest access (e.g., 90 days with renewal required) so former vendor contacts do not retain indefinite access
  • Use sensitivity labels on SharePoint sites and Teams to mark and protect confidential content, restricting sharing automatically
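The SharePoint-level settings from the list above, applied from the SharePoint Online Management Shell as an added example (not code from the original post or from Sentium Tech). It assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator; "contoso" is a placeholder tenant name. The SharingCapability value ExistingExternalUserSharingOnly is the PowerShell name for the "Existing guests" option in the admin center, and the 90-day expiry matches the example in the list.

```powershell
# Added example (not from the original post): record the tenant's current external sharing
# posture, then apply a stricter baseline. "contoso" is a placeholder tenant name.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$settings = "SharingCapability", "DefaultSharingLinkType",
            "ExternalUserExpirationRequired", "ExternalUserExpireInDays"

$before = Get-SPOTenant | Select-Object $settings
"Before:"; $before | Format-List

$baseline = @{
    SharingCapability              = "ExistingExternalUserSharingOnly"  # "Existing guests": no new guests, no anonymous links
    DefaultSharingLinkType         = "Internal"                         # "Copy link" defaults to people in your organization
    ExternalUserExpirationRequired = $true                              # guest access lapses unless an owner renews it
    ExternalUserExpireInDays       = 90
}
Set-SPOTenant @baseline

$after = Get-SPOTenant | Select-Object $settings
"After:"; $after | Format-List

# Report any setting that did not land as intended (e.g. a policy blocked the change).
foreach ($name in $settings) {
    if ("$($after.$name)" -ne "$($baseline[$name])") {
        Write-Warning "$name is '$($after.$name)', expected '$($baseline[$name])'"
    }
}
```

Tightening the tenant-wide setting does not remove guests who are already in the directory; review those separately, and use the expiry so that a vendor contact who is no longer renewed by a site owner drops off on schedule.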

8. Enable Audit Logging and Alerts

What it is: Microsoft 365 audit logging records user and admin activity across Exchange Online, SharePoint, OneDrive, Teams, and Entra ID. It is enabled by default in Microsoft 365 Business Premium tenants, but you should verify that it is on and configure alert policies on top of it.

Why it matters: When a breach occurs, audit logs are the forensic record that tells you what happened, when, and from where. Without audit logging, investigating a breach is nearly impossible. Many HIPAA and Connecticut CTDPA investigations specifically look for evidence of monitoring and audit capability. Additionally, proactive alert policies can notify you of suspicious activity — mass email deletion, unusual admin actions, large-volume file downloads — before a breach becomes a crisis.

How to implement:

  • Verify audit logging is enabled: Microsoft Purview compliance portal > Audit > verify the audit log search is active
  • Configure audit log retention — default is 90 days for most plans; Business Premium extends to 1 year; for compliance-sensitive businesses, consider the Microsoft Purview Audit (Premium) add-on for 10-year retention
  • Set up alert policies in Microsoft 365 Defender for high-severity events: admin privilege escalation, mass file deletion, forwarding rules created (a common sign of Business Email Compromise), impossible travel sign-ins
  • Route alerts to your IT provider or a monitored email address so they are acted upon
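The "forwarding rules created" check from the alert list above, run against the unified audit log as an added example (not code from the original post or from Sentium Tech). It assumes the ExchangeOnlineManagement module and an account holding the View-Only Audit Logs role; the 30-day window is an arbitrary choice. It first confirms that audit ingestion is actually on, since an empty result from a disabled log proves nothing, then reports every inbox rule or mailbox setting change that forwards or redirects mail, and warns when the destination is outside your own accepted domains.

```powershell
# Added example (not from the original post): hunt the unified audit log for mailbox
# forwarding and redirect rules, a common persistence step in Business Email Compromise.
Connect-ExchangeOnline -ShowBanner:$false

# An empty search is meaningless if the log is off, so check that first.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw "Unified audit logging is disabled. Enable it with: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
}

# Parameters of New-InboxRule / Set-InboxRule / Set-Mailbox that send mail somewhere else.
$forwardingParams = "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                    "ForwardingSmtpAddress", "ForwardingAddress", "DeliverToMailboxAndForward"

$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
            -Operations New-InboxRule, Set-InboxRule, Set-Mailbox -ResultSize 5000

$findings = foreach ($e in $events) {
    $data = $e.AuditData | ConvertFrom-Json          # AuditData is a JSON string per event
    $hits = @($data.Parameters | Where-Object { $_.Name -in $forwardingParams })
    if ($hits.Count -eq 0) { continue }              # ordinary rule (move to folder etc.)
    [pscustomobject]@{
        When       = $e.CreationDate
        Actor      = $e.UserIds                      # who made the change
        Operation  = $e.Operations
        ClientIP   = $data.ClientIP                  # where they made it from
        Target     = $data.ObjectId                  # mailbox or rule affected
        Forwarding = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
    }
}

if (-not $findings) { "No forwarding or redirect changes in the last 30 days."; return }
$findings | Sort-Object When -Descending | Format-Table -AutoSize

# Forwarding to an address outside the tenant's own domains is the high-severity case.
$accepted = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }
foreach ($f in $findings) {
    $domains = [regex]::Matches($f.Forwarding, "[\w.+-]+@([\w.-]+)") |
               ForEach-Object { $_.Groups[1].Value.ToLower() } |
               Where-Object { $_ -notin $accepted }
    if ($domains) {
        Write-Warning "$($f.Actor) set $($f.Target) to forward to external domain(s): $($domains -join ', ')"
    }
}
```

Schedule this alongside the portal alert policy rather than instead of it: the alert policy fires in near real time, while a periodic search like this one catches rules that were created before the policy existed or that the policy's thresholds missed.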

9. Implement Basic Data Loss Prevention (DLP)

What it is: Data Loss Prevention policies in Microsoft 365 detect and prevent the sharing of sensitive information (Social Security numbers, credit card numbers, health information, financial account data) via email, Teams, or SharePoint.

Why it matters: For Connecticut businesses subject to CTDPA, HIPAA, or PCI DSS, DLP is a technical control that actively prevents accidental or malicious data exfiltration. According to a 2024 Tessian study, 40% of employees have accidentally sent an email to the wrong person. DLP catches those mistakes before they become breaches.

How to implement:

  • In Microsoft Purview compliance portal > Data loss prevention, create policies using Microsoft's built-in sensitive information types for your relevant regulations (HIPAA, PCI, SSNs)
  • Start in "Audit only" mode to see what would be flagged before enabling blocking
  • Configure policies to: warn users when they are about to share sensitive content externally, block sharing of high-confidence sensitive content, and send alerts to your compliance officer or IT team
  • Apply DLP policies to Exchange (email), SharePoint, OneDrive, and Teams

10. Back Up Your Microsoft 365 Data (Microsoft Does Not Do This For You)

What it is: Microsoft 365 provides service availability and short-term recycle bin recovery. It does not provide long-term data backup. Microsoft's shared responsibility model explicitly states that data backup is the customer's responsibility.

Why it matters: If an employee accidentally deletes three years of client email, or ransomware corrupts your OneDrive, or a disgruntled former employee purges files on their way out, Microsoft's native tools have limited recovery windows (typically 30–93 days for the recycle bin, with some data potentially unrecoverable after). For Connecticut businesses under any compliance framework — CTDPA, HIPAA, legal records retention requirements — you cannot rely on Microsoft's short-term retention as your backup strategy.

How to implement:

  • Deploy a third-party Microsoft 365 backup solution: Veeam Backup for Microsoft 365, Acronis Cyber Backup, Barracuda Backup for Microsoft 365, or Datto SaaS Protection are all reputable options
  • Back up Exchange Online (email), SharePoint Online, OneDrive for Business, and Teams data
  • Establish a retention period that meets your compliance obligations (HIPAA requires 6 years for most records; Connecticut legal records retention varies by matter type)
  • Test your restore process quarterly — verify that you can recover individual emails, files, and SharePoint content on demand

Connecticut Compliance Context

For Connecticut businesses, the Microsoft 365 security configurations described above are not just security best practices — they directly map to regulatory requirements. HIPAA-covered entities (healthcare providers in Hartford County and across Connecticut) need MFA, encryption, audit logging, DLP, and backup as technical safeguards. Businesses subject to CTDPA need data inventory capability (enabled by audit logs and DLP), breach detection (enabled by security alerts and EDR), and appropriate security programs (enabled by Secure Score improvement and Defender configuration). Financial services firms regulated at the state or federal level need access controls, audit trails, and email security.

A well-configured Microsoft 365 tenant is not compliance in itself, but it is a substantial foundation. An IT provider that understands both the technical configuration of Microsoft 365 and the regulatory context for your industry can help you close compliance gaps efficiently.

Frequently Asked Questions

Do we need Microsoft 365 Business Premium to implement all of these settings?

Business Premium provides the broadest security feature set and is what we recommend for most Connecticut SMBs. However, some configurations (MFA via Security Defaults, DKIM/SPF/DMARC) are available at any Microsoft 365 tier. Defender for Business and Conditional Access require Business Premium or higher. For businesses on Business Basic or Standard, upgrading to Business Premium is almost always worth the per-user cost difference given the security capabilities it adds.

How do we know if our current Microsoft 365 configuration is secure?

Check your Microsoft Secure Score (security.microsoft.com > Secure score). A score below 50% indicates significant gaps. You can also ask your IT provider to run a Microsoft 365 security assessment — most reputable MSPs in Connecticut offer this as a free evaluation.

Does Microsoft 365 comply with HIPAA out of the box?

Microsoft 365 can be configured to support HIPAA compliance, and Microsoft will sign a Business Associate Agreement (BAA) for applicable Microsoft 365 services. However, the configuration is not HIPAA-compliant by default. You must implement MFA, audit logging, DLP, encryption settings, and appropriate access controls — and you must have a signed BAA with Microsoft in place. HIPAA compliance is a shared responsibility between Microsoft's platform capabilities and your organization's configuration choices.

Can we manage all of this ourselves, or do we need an IT provider?

The configurations described here are feasible for an experienced IT administrator. However, for most Connecticut SMBs without dedicated IT staff, a managed IT provider who specializes in Microsoft 365 security will implement these settings faster, correctly the first time, and maintain them as the platform evolves. Microsoft 365 security settings change frequently as new features are introduced and attack techniques evolve — this is not a one-time setup exercise.

Sentium Tech provides Microsoft 365 security configuration, management, and monitoring for Connecticut businesses throughout Hartford County and beyond. We include a full Microsoft 365 security review in our free IT assessment — covering Secure Score, configuration gaps, backup status, and compliance readiness. Contact us to schedule your free assessment and see exactly where your Microsoft 365 tenant stands today.

Sarthak Agarwal

President, Sentium Tech

Sarthak leads Sentium Tech, a West Hartford–based managed IT and cybersecurity provider serving Hartford County businesses since 1998. He specializes in IT strategy, proactive managed services, and cybersecurity for small and mid-sized businesses across Connecticut.